PLAN AHEAD

Incorporate privacy and security from start to finish.

Thinking about the data you will collect and store while you design your product or service is only one part of “baking in” privacy. You also need processes in place to address issues that might arise in the future. Save time, money, and even your reputation by maintaining privacy and security practices that are holistic, regularly re-evaluated, and prepared for potential data security issues and legal demands.

While most businesses imagine shadowy hackers as their biggest security risk, in reality insiders with the ability to access records inappropriately can also pose a significant threat. To minimize this threat, adopt clear rules and technical approaches to prevent inappropriate access, thoroughly train individuals who handle user information in your privacy and security practices, and log and audit data access.

71% of employees in a variety of fields, including sales and business operations, said they have access to data they should not be able to see (2014).

Users were outraged and the company’s reputation was tarnished in 2007 when it came to light that the company had very poor internal security measures. Users demanded change when it was widely reported that the company was not properly safeguarding the private profiles of its users from employee misuse and that employees could view users’ private profiles and track which users were viewing particular profiles.

Security breaches can undermine your users’ trust and cause them to take their data elsewhere. Many breaches can be prevented by taking steps to protect the systems and data under your direct control. Work with your engineering team and outside experts to implement security best practices such as network activity monitoring, endpoint security for devices that connect with your network, and routine system audits and software updates.

In addition to securing the data you hold, you need to make sure that your users’ data is secure even when it is not on your servers. If third parties are going to have access to your users’ data, make sure their privacy and security practices are consistent with your own. Consider how you can formally require third parties to meet your standards and verify compliance with those requirements.